author | Sylvain Thénault <sylvain.thenault@logilab.fr> |
Wed, 15 Sep 2010 17:20:56 +0200 | |
branch | stable |
changeset 6249 | 1729f53b3e42 |
parent 5890 | 141b935a38fc |
child 6340 | 470d8e828fda |
permissions | -rw-r--r-- |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
1 |
# copyright 2003-2010 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
2 |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
3 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
4 |
# This file is part of CubicWeb. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
5 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
6 |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
7 |
# terms of the GNU Lesser General Public License as published by the Free |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
8 |
# Software Foundation, either version 2.1 of the License, or (at your option) |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
9 |
# any later version. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
10 |
# |
5424
8ecbcbff9777
replace logilab-common by CubicWeb in disclaimer
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5421
diff
changeset
|
11 |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
5421
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
12 |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
13 |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
14 |
# details. |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
15 |
# |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
16 |
# You should have received a copy of the GNU Lesser General Public License along |
8167de96c523
proper licensing information (LGPL-2.1). Hope I get it right this time.
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5419
diff
changeset
|
17 |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
5886 | 18 |
"""functional tests for server'security""" |
19 |
||
0 | 20 |
import sys |
21 |
||
22 |
from logilab.common.testlib import unittest_main, TestCase |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
23 |
from cubicweb.devtools.testlib import CubicWebTC |
0 | 24 |
|
25 |
from cubicweb import Unauthorized, ValidationError |
|
26 |
from cubicweb.server.querier import check_read_access |
|
27 |
||
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
28 |
class BaseSecurityTC(CubicWebTC): |
0 | 29 |
|
30 |
def setUp(self): |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
31 |
CubicWebTC.setUp(self) |
0 | 32 |
self.create_user('iaminusersgrouponly') |
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
33 |
self.readoriggroups = self.schema['Personne'].permissions['read'] |
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
34 |
self.addoriggroups = self.schema['Personne'].permissions['add'] |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
35 |
|
0 | 36 |
def tearDown(self): |
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
37 |
CubicWebTC.tearDown(self) |
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
38 |
self.schema['Personne'].set_action_permissions('read', self.readoriggroups) |
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
39 |
self.schema['Personne'].set_action_permissions('add', self.addoriggroups) |
0 | 40 |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
41 |
|
0 | 42 |
class LowLevelSecurityFunctionTC(BaseSecurityTC): |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
43 |
|
0 | 44 |
def test_check_read_access(self): |
45 |
rql = u'Personne U where U nom "managers"' |
|
3252
c0e10da6f1cf
tests update
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2920
diff
changeset
|
46 |
rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0] |
0 | 47 |
origgroups = self.schema['Personne'].get_groups('read') |
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
48 |
self.schema['Personne'].set_action_permissions('read', ('users', 'managers')) |
4711
7ef3b029e10b
[test] we should properly use vreg method to compute solutions
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4691
diff
changeset
|
49 |
self.repo.vreg.solutions(self.session, rqlst, None) |
0 | 50 |
solution = rqlst.solutions[0] |
5419
0b7805928a27
[repo security] deal with rewriten constant nodes in check_read_access, necessary when repo is used as an external source
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
51 |
check_read_access(self.session, rqlst, solution, {}) |
0 | 52 |
cnx = self.login('anon') |
53 |
cu = cnx.cursor() |
|
54 |
self.assertRaises(Unauthorized, |
|
55 |
check_read_access, |
|
5419
0b7805928a27
[repo security] deal with rewriten constant nodes in check_read_access, necessary when repo is used as an external source
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
56 |
self.session, rqlst, solution, {}) |
0 | 57 |
self.assertRaises(Unauthorized, cu.execute, rql) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
58 |
|
0 | 59 |
def test_upassword_not_selectable(self): |
60 |
self.assertRaises(Unauthorized, |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
61 |
self.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
0 | 62 |
self.rollback() |
63 |
cnx = self.login('iaminusersgrouponly') |
|
64 |
cu = cnx.cursor() |
|
65 |
self.assertRaises(Unauthorized, |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
66 |
cu.execute, 'Any X,P WHERE X is CWUser, X upassword P') |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
67 |
|
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
68 |
|
5888
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
69 |
class SecurityRewritingTC(BaseSecurityTC): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
70 |
def hijack_source_execute(self): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
71 |
def syntax_tree_search(*args, **kwargs): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
72 |
self.query = (args, kwargs) |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
73 |
return [] |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
74 |
self.repo.system_source.syntax_tree_search = syntax_tree_search |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
75 |
|
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
76 |
def tearDown(self): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
77 |
self.repo.system_source.__dict__.pop('syntax_tree_search', None) |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
78 |
BaseSecurityTC.tearDown(self) |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
79 |
|
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
80 |
def test_not_relation_read_security(self): |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
81 |
cnx = self.login('iaminusersgrouponly') |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
82 |
self.hijack_source_execute() |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
83 |
self.execute('Any U WHERE NOT A todo_by U, A is Affaire') |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
84 |
self.assertEquals(self.query[0][1].as_string(), |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
85 |
'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
86 |
self.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
87 |
self.assertEquals(self.query[0][1].as_string(), |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
88 |
'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire') |
3ee80d487f11
[security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5886
diff
changeset
|
89 |
|
0 | 90 |
class SecurityTC(BaseSecurityTC): |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
91 |
|
0 | 92 |
def setUp(self): |
93 |
BaseSecurityTC.setUp(self) |
|
94 |
# implicitly test manager can add some entities |
|
95 |
self.execute("INSERT Affaire X: X sujet 'cool'") |
|
96 |
self.execute("INSERT Societe X: X nom 'logilab'") |
|
97 |
self.execute("INSERT Personne X: X nom 'bidule'") |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
98 |
self.execute('INSERT CWGroup X: X name "staff"') |
0 | 99 |
self.commit() |
100 |
||
101 |
def test_insert_security(self): |
|
102 |
cnx = self.login('anon') |
|
103 |
cu = cnx.cursor() |
|
104 |
cu.execute("INSERT Personne X: X nom 'bidule'") |
|
105 |
self.assertRaises(Unauthorized, cnx.commit) |
|
106 |
self.assertEquals(cu.execute('Personne X').rowcount, 1) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
107 |
|
0 | 108 |
def test_insert_rql_permission(self): |
109 |
# test user can only add une affaire related to a societe he owns |
|
110 |
cnx = self.login('iaminusersgrouponly') |
|
111 |
cu = cnx.cursor() |
|
112 |
cu.execute("INSERT Affaire X: X sujet 'cool'") |
|
113 |
self.assertRaises(Unauthorized, cnx.commit) |
|
114 |
# test nothing has actually been inserted |
|
115 |
self.restore_connection() |
|
116 |
self.assertEquals(self.execute('Affaire X').rowcount, 1) |
|
117 |
cnx = self.login('iaminusersgrouponly') |
|
118 |
cu = cnx.cursor() |
|
119 |
cu.execute("INSERT Affaire X: X sujet 'cool'") |
|
120 |
cu.execute("INSERT Societe X: X nom 'chouette'") |
|
121 |
cu.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'") |
|
122 |
cnx.commit() |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
123 |
|
0 | 124 |
def test_update_security_1(self): |
125 |
cnx = self.login('anon') |
|
126 |
cu = cnx.cursor() |
|
127 |
# local security check |
|
128 |
cu.execute( "SET X nom 'bidulechouette' WHERE X is Personne") |
|
129 |
self.assertRaises(Unauthorized, cnx.commit) |
|
130 |
self.restore_connection() |
|
131 |
self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
132 |
|
0 | 133 |
def test_update_security_2(self): |
134 |
cnx = self.login('anon') |
|
135 |
cu = cnx.cursor() |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
136 |
self.repo.schema['Personne'].set_action_permissions('read', ('users', 'managers')) |
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
137 |
self.repo.schema['Personne'].set_action_permissions('add', ('guests', 'users', 'managers')) |
0 | 138 |
self.assertRaises(Unauthorized, cu.execute, "SET X nom 'bidulechouette' WHERE X is Personne") |
139 |
#self.assertRaises(Unauthorized, cnx.commit) |
|
140 |
# test nothing has actually been inserted |
|
141 |
self.restore_connection() |
|
142 |
self.assertEquals(self.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0) |
|
143 |
||
144 |
def test_update_security_3(self): |
|
145 |
cnx = self.login('iaminusersgrouponly') |
|
146 |
cu = cnx.cursor() |
|
147 |
cu.execute("INSERT Personne X: X nom 'biduuule'") |
|
148 |
cu.execute("INSERT Societe X: X nom 'looogilab'") |
|
149 |
cu.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'") |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
150 |
|
0 | 151 |
def test_update_rql_permission(self): |
152 |
self.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
|
153 |
self.commit() |
|
154 |
# test user can only update une affaire related to a societe he owns |
|
155 |
cnx = self.login('iaminusersgrouponly') |
|
156 |
cu = cnx.cursor() |
|
157 |
cu.execute("SET X sujet 'pascool' WHERE X is Affaire") |
|
158 |
# this won't actually do anything since the selection query won't return anything |
|
159 |
cnx.commit() |
|
160 |
# to actually get Unauthorized exception, try to update an entity we can read |
|
161 |
cu.execute("SET X nom 'toto' WHERE X is Societe") |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
162 |
self.assertRaises(Unauthorized, cnx.commit) |
0 | 163 |
cu.execute("INSERT Affaire X: X sujet 'pascool'") |
164 |
cu.execute("INSERT Societe X: X nom 'chouette'") |
|
165 |
cu.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'") |
|
166 |
cu.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'") |
|
167 |
cnx.commit() |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
168 |
|
0 | 169 |
def test_delete_security(self): |
170 |
# FIXME: sample below fails because we don't detect "owner" can't delete |
|
171 |
# user anyway, and since no user with login == 'bidule' exists, no |
|
172 |
# exception is raised |
|
173 |
#user._groups = {'guests':1} |
|
174 |
#self.assertRaises(Unauthorized, |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
175 |
# self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'") |
0 | 176 |
# check local security |
177 |
cnx = self.login('iaminusersgrouponly') |
|
178 |
cu = cnx.cursor() |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
179 |
self.assertRaises(Unauthorized, cu.execute, "DELETE CWGroup Y WHERE Y name 'staff'") |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
180 |
|
0 | 181 |
def test_delete_rql_permission(self): |
182 |
self.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
|
183 |
self.commit() |
|
184 |
# test user can only dele une affaire related to a societe he owns |
|
185 |
cnx = self.login('iaminusersgrouponly') |
|
186 |
cu = cnx.cursor() |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
187 |
# this won't actually do anything since the selection query won't return anything |
0 | 188 |
cu.execute("DELETE Affaire X") |
189 |
cnx.commit() |
|
190 |
# to actually get Unauthorized exception, try to delete an entity we can read |
|
191 |
self.assertRaises(Unauthorized, cu.execute, "DELETE Societe S") |
|
192 |
cu.execute("INSERT Affaire X: X sujet 'pascool'") |
|
193 |
cu.execute("INSERT Societe X: X nom 'chouette'") |
|
194 |
cu.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'") |
|
195 |
cnx.commit() |
|
196 |
## # this one should fail since it will try to delete two affaires, one authorized |
|
197 |
## # and the other not |
|
198 |
## self.assertRaises(Unauthorized, cu.execute, "DELETE Affaire X") |
|
199 |
cu.execute("DELETE Affaire X WHERE X sujet 'pascool'") |
|
200 |
cnx.commit() |
|
201 |
||
202 |
||
203 |
def test_insert_relation_rql_permission(self): |
|
204 |
cnx = self.login('iaminusersgrouponly') |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
205 |
session = self.session |
0 | 206 |
cu = cnx.cursor(session) |
207 |
cu.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
|
208 |
# should raise Unauthorized since user don't own S |
|
209 |
# though this won't actually do anything since the selection query won't return anything |
|
210 |
cnx.commit() |
|
211 |
# to actually get Unauthorized exception, try to insert a relation were we can read both entities |
|
212 |
rset = cu.execute('Personne P') |
|
213 |
self.assertEquals(len(rset), 1) |
|
214 |
ent = rset.get_entity(0, 0) |
|
215 |
session.set_pool() # necessary |
|
5557
1a534c596bff
[entity] continue cleanup of Entity/AnyEntity namespace
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5556
diff
changeset
|
216 |
self.assertRaises(Unauthorized, ent.cw_check_perm, 'update') |
0 | 217 |
self.assertRaises(Unauthorized, |
218 |
cu.execute, "SET P travaille S WHERE P is Personne, S is Societe") |
|
219 |
# test nothing has actually been inserted: |
|
220 |
self.assertEquals(cu.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe').rowcount, 0) |
|
221 |
cu.execute("INSERT Societe X: X nom 'chouette'") |
|
222 |
cu.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'") |
|
223 |
cnx.commit() |
|
224 |
||
225 |
def test_delete_relation_rql_permission(self): |
|
226 |
self.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
|
227 |
self.commit() |
|
228 |
cnx = self.login('iaminusersgrouponly') |
|
229 |
cu = cnx.cursor() |
|
230 |
# this won't actually do anything since the selection query won't return anything |
|
231 |
cu.execute("DELETE A concerne S") |
|
232 |
cnx.commit() |
|
233 |
# to actually get Unauthorized exception, try to delete a relation we can read |
|
234 |
self.restore_connection() |
|
235 |
eid = self.execute("INSERT Affaire X: X sujet 'pascool'")[0][0] |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
236 |
self.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"', {'x': eid}) |
0 | 237 |
self.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe") |
238 |
self.commit() |
|
239 |
cnx = self.login('iaminusersgrouponly') |
|
240 |
cu = cnx.cursor() |
|
241 |
self.assertRaises(Unauthorized, cu.execute, "DELETE A concerne S") |
|
242 |
cu.execute("INSERT Societe X: X nom 'chouette'") |
|
243 |
cu.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'") |
|
244 |
cnx.commit() |
|
245 |
cu.execute("DELETE A concerne S WHERE S nom 'chouette'") |
|
246 |
||
247 |
||
248 |
def test_user_can_change_its_upassword(self): |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
249 |
ueid = self.create_user('user').eid |
0 | 250 |
cnx = self.login('user') |
251 |
cu = cnx.cursor() |
|
252 |
cu.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
253 |
{'x': ueid, 'passwd': 'newpwd'}) |
0 | 254 |
cnx.commit() |
255 |
cnx.close() |
|
4191
01638461d4b0
test update. All cw tests OK
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3890
diff
changeset
|
256 |
cnx = self.login('user', password='newpwd') |
0 | 257 |
|
258 |
def test_user_cant_change_other_upassword(self): |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
259 |
ueid = self.create_user('otheruser').eid |
0 | 260 |
cnx = self.login('iaminusersgrouponly') |
261 |
cu = cnx.cursor() |
|
262 |
cu.execute('SET X upassword %(passwd)s WHERE X eid %(x)s', |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
263 |
{'x': ueid, 'passwd': 'newpwd'}) |
0 | 264 |
self.assertRaises(Unauthorized, cnx.commit) |
265 |
||
266 |
# read security test |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
267 |
|
0 | 268 |
def test_read_base(self): |
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
269 |
self.schema['Personne'].set_action_permissions('read', ('users', 'managers')) |
0 | 270 |
cnx = self.login('anon') |
271 |
cu = cnx.cursor() |
|
272 |
self.assertRaises(Unauthorized, |
|
273 |
cu.execute, 'Personne U where U nom "managers"') |
|
274 |
||
321
247947250382
fix security bug w/ query using 'NOT X eid 123'
Sylvain Thenault <sylvain.thenault@logilab.fr>
parents:
0
diff
changeset
|
275 |
def test_read_erqlexpr_base(self): |
0 | 276 |
eid = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
277 |
self.commit() |
|
278 |
cnx = self.login('iaminusersgrouponly') |
|
279 |
cu = cnx.cursor() |
|
280 |
rset = cu.execute('Affaire X') |
|
281 |
self.assertEquals(rset.rows, []) |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
282 |
self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x': eid}) |
321
247947250382
fix security bug w/ query using 'NOT X eid 123'
Sylvain Thenault <sylvain.thenault@logilab.fr>
parents:
0
diff
changeset
|
283 |
# cache test |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
284 |
self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x': eid}) |
0 | 285 |
aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
286 |
soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0] |
|
287 |
cu.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
|
288 |
cnx.commit() |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
289 |
rset = cu.execute('Any X WHERE X eid %(x)s', {'x': aff2}) |
0 | 290 |
self.assertEquals(rset.rows, [[aff2]]) |
321
247947250382
fix security bug w/ query using 'NOT X eid 123'
Sylvain Thenault <sylvain.thenault@logilab.fr>
parents:
0
diff
changeset
|
291 |
# more cache test w/ NOT eid |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
292 |
rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid}) |
389 | 293 |
self.assertEquals(rset.rows, [[aff2]]) |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
294 |
rset = cu.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2}) |
321
247947250382
fix security bug w/ query using 'NOT X eid 123'
Sylvain Thenault <sylvain.thenault@logilab.fr>
parents:
0
diff
changeset
|
295 |
self.assertEquals(rset.rows, []) |
4765 | 296 |
# test can't update an attribute of an entity that can't be readen |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
297 |
self.assertRaises(Unauthorized, cu.execute, 'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid}) |
4765 | 298 |
|
299 |
||
300 |
def test_entity_created_in_transaction(self): |
|
301 |
affschema = self.schema['Affaire'] |
|
302 |
origperms = affschema.permissions['read'] |
|
303 |
affschema.set_action_permissions('read', affschema.permissions['add']) |
|
304 |
try: |
|
305 |
cnx = self.login('iaminusersgrouponly') |
|
306 |
cu = cnx.cursor() |
|
307 |
aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
|
308 |
# entity created in transaction are readable *by eid* |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
309 |
self.failUnless(cu.execute('Any X WHERE X eid %(x)s', {'x':aff2})) |
4765 | 310 |
# XXX would be nice if it worked |
311 |
rset = cu.execute("Affaire X WHERE X sujet 'cool'") |
|
312 |
self.assertEquals(len(rset), 0) |
|
313 |
finally: |
|
314 |
affschema.set_action_permissions('read', origperms) |
|
315 |
cnx.close() |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
316 |
|
0 | 317 |
def test_read_erqlexpr_has_text1(self): |
318 |
aff1 = self.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
|
319 |
card1 = self.execute("INSERT Card X: X title 'cool'")[0][0] |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
320 |
self.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"', {'x': card1}) |
0 | 321 |
self.commit() |
322 |
cnx = self.login('iaminusersgrouponly') |
|
323 |
cu = cnx.cursor() |
|
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
324 |
aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
0 | 325 |
soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0] |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
326 |
cu.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1}) |
0 | 327 |
cnx.commit() |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
328 |
self.assertRaises(Unauthorized, cu.execute, 'Any X WHERE X eid %(x)s', {'x':aff1}) |
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
329 |
self.failUnless(cu.execute('Any X WHERE X eid %(x)s', {'x':aff2})) |
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
330 |
self.failUnless(cu.execute('Any X WHERE X eid %(x)s', {'x':card1})) |
0 | 331 |
rset = cu.execute("Any X WHERE X has_text 'cool'") |
332 |
self.assertEquals(sorted(eid for eid, in rset.rows), |
|
333 |
[card1, aff2]) |
|
334 |
||
335 |
def test_read_erqlexpr_has_text2(self): |
|
336 |
self.execute("INSERT Personne X: X nom 'bidule'") |
|
337 |
self.execute("INSERT Societe X: X nom 'bidule'") |
|
338 |
self.commit() |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
339 |
self.schema['Personne'].set_action_permissions('read', ('managers',)) |
0 | 340 |
cnx = self.login('iaminusersgrouponly') |
341 |
cu = cnx.cursor() |
|
342 |
rset = cu.execute('Any N WHERE N has_text "bidule"') |
|
343 |
self.assertEquals(len(rset.rows), 1, rset.rows) |
|
344 |
rset = cu.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")') |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
345 |
self.assertEquals(len(rset.rows), 1, rset.rows) |
0 | 346 |
|
347 |
def test_read_erqlexpr_optional_rel(self): |
|
348 |
self.execute("INSERT Personne X: X nom 'bidule'") |
|
349 |
self.execute("INSERT Societe X: X nom 'bidule'") |
|
350 |
self.commit() |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
351 |
self.schema['Personne'].set_action_permissions('read', ('managers',)) |
0 | 352 |
cnx = self.login('anon') |
353 |
cu = cnx.cursor() |
|
354 |
rset = cu.execute('Any N,U WHERE N has_text "bidule", N owned_by U?') |
|
355 |
self.assertEquals(len(rset.rows), 1, rset.rows) |
|
356 |
||
357 |
def test_read_erqlexpr_aggregat(self): |
|
358 |
self.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
|
359 |
self.commit() |
|
360 |
cnx = self.login('iaminusersgrouponly') |
|
361 |
cu = cnx.cursor() |
|
362 |
rset = cu.execute('Any COUNT(X) WHERE X is Affaire') |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
363 |
self.assertEquals(rset.rows, [[0]]) |
0 | 364 |
aff2 = cu.execute("INSERT Affaire X: X sujet 'cool'")[0][0] |
365 |
soc1 = cu.execute("INSERT Societe X: X nom 'chouette'")[0][0] |
|
366 |
cu.execute("SET A concerne S WHERE A is Affaire, S is Societe") |
|
367 |
cnx.commit() |
|
368 |
rset = cu.execute('Any COUNT(X) WHERE X is Affaire') |
|
369 |
self.assertEquals(rset.rows, [[1]]) |
|
370 |
rset = cu.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN') |
|
371 |
values = dict(rset) |
|
372 |
self.assertEquals(values['Affaire'], 1) |
|
373 |
self.assertEquals(values['Societe'], 2) |
|
374 |
rset = cu.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN WITH X BEING ((Affaire X) UNION (Societe X))') |
|
375 |
self.assertEquals(len(rset), 2) |
|
376 |
values = dict(rset) |
|
377 |
self.assertEquals(values['Affaire'], 1) |
|
378 |
self.assertEquals(values['Societe'], 2) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
379 |
|
0 | 380 |
|
381 |
def test_attribute_security(self): |
|
382 |
# only managers should be able to edit the 'test' attribute of Personne entities |
|
383 |
eid = self.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org', X test TRUE")[0][0] |
|
384 |
self.commit() |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
385 |
self.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid}) |
0 | 386 |
self.commit() |
387 |
cnx = self.login('iaminusersgrouponly') |
|
388 |
cu = cnx.cursor() |
|
389 |
cu.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org', X test TRUE") |
|
390 |
self.assertRaises(Unauthorized, cnx.commit) |
|
391 |
cu.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org', X test FALSE") |
|
392 |
self.assertRaises(Unauthorized, cnx.commit) |
|
393 |
eid = cu.execute("INSERT Personne X: X nom 'bidule', X web 'http://www.debian.org'")[0][0] |
|
394 |
cnx.commit() |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
395 |
cu.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid}) |
0 | 396 |
self.assertRaises(Unauthorized, cnx.commit) |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
397 |
cu.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid}) |
0 | 398 |
self.assertRaises(Unauthorized, cnx.commit) |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
399 |
cu.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid}) |
0 | 400 |
cnx.commit() |
401 |
cnx.close() |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
402 |
|
0 | 403 |
def test_attribute_security_rqlexpr(self): |
404 |
# Note.para attribute editable by managers or if the note is in "todo" state |
|
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
405 |
note = self.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0) |
0 | 406 |
self.commit() |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
407 |
note.cw_adapt_to('IWorkflowable').fire_transition('markasdone') |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
408 |
self.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid}) |
0 | 409 |
self.commit() |
410 |
cnx = self.login('iaminusersgrouponly') |
|
411 |
cu = cnx.cursor() |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
412 |
cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid}) |
0 | 413 |
self.assertRaises(Unauthorized, cnx.commit) |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
414 |
note2 = cu.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0) |
0 | 415 |
cnx.commit() |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
416 |
note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone') |
0 | 417 |
cnx.commit() |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
418 |
self.assertEquals(len(cu.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s', {'x': note2.eid})), |
0 | 419 |
0) |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
420 |
cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}) |
0 | 421 |
self.assertRaises(Unauthorized, cnx.commit) |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
422 |
note2.cw_adapt_to('IWorkflowable').fire_transition('redoit') |
0 | 423 |
cnx.commit() |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
424 |
cu.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid}) |
0 | 425 |
cnx.commit() |
426 |
||
427 |
def test_attribute_read_security(self): |
|
428 |
# anon not allowed to see users'login, but they can see users |
|
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
429 |
self.repo.schema['CWUser'].set_action_permissions('read', ('guests', 'users', 'managers')) |
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
430 |
self.repo.schema['CWUser'].rdef('login').set_action_permissions('read', ('users', 'managers')) |
0 | 431 |
cnx = self.login('anon') |
432 |
cu = cnx.cursor() |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
433 |
rset = cu.execute('CWUser X') |
0 | 434 |
self.failUnless(rset) |
435 |
x = rset.get_entity(0, 0) |
|
436 |
self.assertEquals(x.login, None) |
|
437 |
self.failUnless(x.creation_date) |
|
438 |
x = rset.get_entity(1, 0) |
|
439 |
x.complete() |
|
440 |
self.assertEquals(x.login, None) |
|
441 |
self.failUnless(x.creation_date) |
|
442 |
cnx.rollback() |
|
443 |
||
444 |
class BaseSchemaSecurityTC(BaseSecurityTC): |
|
445 |
"""tests related to the base schema permission configuration""" |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
446 |
|
0 | 447 |
def test_user_can_delete_object_he_created(self): |
448 |
# even if some other user have changed object'state |
|
449 |
cnx = self.login('iaminusersgrouponly') |
|
450 |
cu = cnx.cursor() |
|
451 |
# due to security test, affaire has to concerne a societe the user owns |
|
452 |
cu.execute('INSERT Societe X: X nom "ARCTIA"') |
|
453 |
cu.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"') |
|
454 |
cnx.commit() |
|
455 |
self.restore_connection() |
|
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
456 |
affaire = self.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0) |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
457 |
affaire.cw_adapt_to('IWorkflowable').fire_transition('abort') |
0 | 458 |
self.commit() |
459 |
self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')), |
|
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
460 |
1) |
0 | 461 |
self.assertEquals(len(self.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",' |
462 |
'X owned_by U, U login "admin"')), |
|
463 |
1) # TrInfo at the above state change |
|
464 |
cnx = self.login('iaminusersgrouponly') |
|
465 |
cu = cnx.cursor() |
|
466 |
cu.execute('DELETE Affaire X WHERE X ref "ARCT01"') |
|
467 |
cnx.commit() |
|
468 |
self.failIf(cu.execute('Affaire X')) |
|
469 |
||
470 |
def test_users_and_groups_non_readable_by_guests(self): |
|
471 |
cnx = self.login('anon') |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
472 |
anon = cnx.user(self.session) |
0 | 473 |
cu = cnx.cursor() |
474 |
# anonymous user can only read itself |
|
475 |
rset = cu.execute('Any L WHERE X owned_by U, U login L') |
|
476 |
self.assertEquals(rset.rows, [['anon']]) |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
477 |
rset = cu.execute('CWUser X') |
0 | 478 |
self.assertEquals(rset.rows, [[anon.eid]]) |
479 |
# anonymous user can read groups (necessary to check allowed transitions for instance) |
|
1398
5fe84a5f7035
rename internal entity types to have CW prefix instead of E
sylvain.thenault@logilab.fr
parents:
389
diff
changeset
|
480 |
self.assert_(cu.execute('CWGroup X')) |
0 | 481 |
# should only be able to read the anonymous user, not another one |
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
482 |
origuser = self.adminsession.user |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
483 |
self.assertRaises(Unauthorized, |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
484 |
cu.execute, 'CWUser X WHERE X eid %(x)s', {'x': origuser.eid}) |
0 | 485 |
# nothing selected, nothing updated, no exception raised |
486 |
#self.assertRaises(Unauthorized, |
|
487 |
# cu.execute, 'SET X login "toto" WHERE X eid %(x)s', |
|
488 |
# {'x': self.user.eid}) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
489 |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
490 |
rset = cu.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid}) |
0 | 491 |
self.assertEquals(rset.rows, [[anon.eid]]) |
492 |
# but can't modify it |
|
4915
d657b89df9f4
fix test broken by recent rql rewrite / querier changes
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4787
diff
changeset
|
493 |
cu.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid}) |
d657b89df9f4
fix test broken by recent rql rewrite / querier changes
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4787
diff
changeset
|
494 |
self.assertRaises(Unauthorized, cnx.commit) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
495 |
|
0 | 496 |
def test_in_group_relation(self): |
497 |
cnx = self.login('iaminusersgrouponly') |
|
498 |
cu = cnx.cursor() |
|
499 |
rql = u"DELETE U in_group G WHERE U login 'admin'" |
|
500 |
self.assertRaises(Unauthorized, cu.execute, rql) |
|
501 |
rql = u"SET U in_group G WHERE U login 'admin', G name 'users'" |
|
502 |
self.assertRaises(Unauthorized, cu.execute, rql) |
|
503 |
||
504 |
def test_owned_by(self): |
|
505 |
self.execute("INSERT Personne X: X nom 'bidule'") |
|
506 |
self.commit() |
|
507 |
cnx = self.login('iaminusersgrouponly') |
|
508 |
cu = cnx.cursor() |
|
509 |
rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne" |
|
510 |
self.assertRaises(Unauthorized, cu.execute, rql) |
|
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
511 |
|
0 | 512 |
def test_bookmarked_by_guests_security(self): |
513 |
beid1 = self.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0] |
|
514 |
beid2 = self.execute('INSERT Bookmark B: B path "?vid=index", B title "index", B bookmarked_by U WHERE U login "anon"')[0][0] |
|
515 |
self.commit() |
|
516 |
cnx = self.login('anon') |
|
517 |
cu = cnx.cursor() |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
518 |
anoneid = self.session.user.eid |
0 | 519 |
self.assertEquals(cu.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,' |
520 |
'B bookmarked_by U, U eid %s' % anoneid).rows, |
|
521 |
[['index', '?vid=index']]) |
|
522 |
self.assertEquals(cu.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,' |
|
523 |
'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows, |
|
524 |
[['index', '?vid=index']]) |
|
525 |
# can read others bookmarks as well |
|
526 |
self.assertEquals(cu.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows, |
|
527 |
[[beid1]]) |
|
528 |
self.assertRaises(Unauthorized, cu.execute,'DELETE B bookmarked_by U') |
|
529 |
self.assertRaises(Unauthorized, |
|
530 |
cu.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s', |
|
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
531 |
{'x': anoneid, 'b': beid1}) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
532 |
|
0 | 533 |
|
534 |
def test_ambigous_ordered(self): |
|
535 |
cnx = self.login('anon') |
|
536 |
cu = cnx.cursor() |
|
537 |
names = [t for t, in cu.execute('Any N ORDERBY lower(N) WHERE X name N')] |
|
538 |
self.assertEquals(names, sorted(names, key=lambda x: x.lower())) |
|
539 |
||
540 |
def test_in_state_without_update_perm(self): |
|
541 |
"""check a user change in_state without having update permission on the |
|
542 |
subject |
|
543 |
""" |
|
544 |
eid = self.execute('INSERT Affaire X: X ref "ARCT01"')[0][0] |
|
545 |
self.commit() |
|
546 |
cnx = self.login('iaminusersgrouponly') |
|
2773
b2530e3e0afb
[testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
547 |
session = self.session |
0 | 548 |
# needed to avoid check_perm error |
549 |
session.set_pool() |
|
550 |
# needed to remove rql expr granting update perm to the user |
|
4691
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
551 |
affaire_perms = self.schema['Affaire'].permissions.copy() |
3877
7ca53fc72a0a
reldefsecurity branch :
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
3252
diff
changeset
|
552 |
self.schema['Affaire'].set_action_permissions('update', self.schema['Affaire'].get_groups('update')) |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
553 |
try: |
4691
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
554 |
self.assertRaises(Unauthorized, |
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
555 |
self.schema['Affaire'].check_perm, session, 'update', eid=eid) |
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
556 |
cu = cnx.cursor() |
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
557 |
self.schema['Affaire'].set_action_permissions('read', ('users',)) |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
558 |
aff = cu.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0) |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
559 |
aff.cw_adapt_to('IWorkflowable').fire_transition('abort') |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
560 |
cnx.commit() |
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
561 |
# though changing a user state (even logged user) is reserved to managers |
3447 | 562 |
user = cnx.user(self.session) |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
563 |
# XXX wether it should raise Unauthorized or ValidationError is not clear |
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
564 |
# the best would probably ValidationError if the transition doesn't exist |
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
565 |
# from the current state but Unauthorized if it exists but user can't pass it |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
566 |
self.assertRaises(ValidationError, |
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
567 |
user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate') |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
568 |
finally: |
4691
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
569 |
# restore orig perms |
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
570 |
for action, perms in affaire_perms.iteritems(): |
ae468fae9965
[test] fix test inter-dependancies pb. Pytest ok in each individual test dir, though not yet for whole cubicweb, but for different reasons
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4191
diff
changeset
|
571 |
self.schema['Affaire'].set_action_permissions(action, perms) |
1802
d628defebc17
delete-trailing-whitespace + some copyright update
Adrien Di Mascio <Adrien.DiMascio@logilab.fr>
parents:
1398
diff
changeset
|
572 |
|
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
573 |
def test_trinfo_security(self): |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
574 |
aff = self.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0) |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
575 |
iworkflowable = aff.cw_adapt_to('IWorkflowable') |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
576 |
self.commit() |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
577 |
iworkflowable.fire_transition('abort') |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
578 |
self.commit() |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
579 |
# can change tr info comment |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
580 |
self.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"', |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
581 |
{'c': u'bouh!'}) |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
582 |
self.commit() |
5557
1a534c596bff
[entity] continue cleanup of Entity/AnyEntity namespace
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5556
diff
changeset
|
583 |
aff.cw_clear_relation_cache('wf_info_for', 'object') |
5556
9ab2b4c74baf
[entity] introduce a new 'adapters' registry
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5426
diff
changeset
|
584 |
trinfo = iworkflowable.latest_trinfo() |
2920
64322aa83a1d
start a new workflow engine
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2608
diff
changeset
|
585 |
self.assertEquals(trinfo.comment, 'bouh!') |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
586 |
# but not from_state/to_state |
5557
1a534c596bff
[entity] continue cleanup of Entity/AnyEntity namespace
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
5556
diff
changeset
|
587 |
aff.cw_clear_relation_cache('wf_info_for', role='object') |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
588 |
self.assertRaises(Unauthorized, |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
589 |
self.execute, 'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"', |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
590 |
{'ti': trinfo.eid}) |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
591 |
self.assertRaises(Unauthorized, |
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
592 |
self.execute, 'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"', |
5174
78438ad513ca
#759035: Automate addition of eid cachekey in RQL analysis
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
4915
diff
changeset
|
593 |
{'ti': trinfo.eid}) |
2501
fa86d99c2c3a
test and fix wf history security
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
2500
diff
changeset
|
594 |
|
0 | 595 |
if __name__ == '__main__': |
596 |
unittest_main() |